Re: [RFC] Security policy reworks for SE-PostgreSQL

All of lore.kernel.org
 help / color / mirror / Atom feed

From: KaiGai Kohei <kaigai@kaigai.gr.jp>
To: Andy Warner <warner@rubix.com>
Cc: KaiGai Kohei <kaigai@ak.jp.nec.com>,
	cpebenito@tresys.com, method@manicmethod.com,
	selinux@tycho.nsa.gov, refpolicy@oss.tresys.com
Subject: Re: [RFC] Security policy reworks for SE-PostgreSQL
Date: Wed, 01 Apr 2009 05:34:52 +0900	[thread overview]
Message-ID: <49D27E6C.5000106@kaigai.gr.jp> (raw)
In-Reply-To: <49D23288.2030807@rubix.com>

> I am referring to things like:
> 
> mlsconstrain { db_tuple } { use select }
>     (( l1 dom l2 ) or
>      (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
>      ( t1 == mlsdbread ) or
>      ( t2 == mlstrustedobject ));

I noticed the db_xxx:{use} permission remained here. :-)

> where t1 == mlsdbread seems to imply an object is trusted to read 
> strictly dominating objects. Unless I am missing the meaning here, I 
> would call this a MAC override. I realize there is no concept of a TE 
> override, but MLS is part of MAC, no? And, this violates B&L rules. This 
> is something we would control with a Security Administrator "role". Or, 
> is this mlsdbread something that is impossible to give to a domain in a 
> DBMS policy?

It is different from my usage of terms.
Some of domains are allowed to access the tuple, and others are
disallowed as the result of access controls using the security
policy.

I understood the term of "MAC override" to express what actions
are allowed without any checks based on security policy, as if
root stuff can ignore DAC checks.

Thanks,
-- 
KaiGai Kohei <kaigai@kaigai.gr.jp>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

WARNING: multiple messages have this Message-ID (diff)

From: kaigai@kaigai.gr.jp (KaiGai Kohei)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [RFC] Security policy reworks for SE-PostgreSQL
Date: Wed, 01 Apr 2009 05:34:52 +0900	[thread overview]
Message-ID: <49D27E6C.5000106@kaigai.gr.jp> (raw)
In-Reply-To: <49D23288.2030807@rubix.com>

> I am referring to things like:
> 
> mlsconstrain { db_tuple } { use select }
>     (( l1 dom l2 ) or
>      (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
>      ( t1 == mlsdbread ) or
>      ( t2 == mlstrustedobject ));

I noticed the db_xxx:{use} permission remained here. :-)

> where t1 == mlsdbread seems to imply an object is trusted to read 
> strictly dominating objects. Unless I am missing the meaning here, I 
> would call this a MAC override. I realize there is no concept of a TE 
> override, but MLS is part of MAC, no? And, this violates B&L rules. This 
> is something we would control with a Security Administrator "role". Or, 
> is this mlsdbread something that is impossible to give to a domain in a 
> DBMS policy?

It is different from my usage of terms.
Some of domains are allowed to access the tuple, and others are
disallowed as the result of access controls using the security
policy.

I understood the term of "MAC override" to express what actions
are allowed without any checks based on security policy, as if
root stuff can ignore DAC checks.

Thanks,
-- 
KaiGai Kohei <kaigai@kaigai.gr.jp>

next prev parent reply	other threads:[~2009-03-31 20:34 UTC|newest]

Thread overview: 62+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-03-31  8:55 [RFC] Security policy reworks for SE-PostgreSQL KaiGai Kohei
2009-03-31  8:55 ` [refpolicy] " KaiGai Kohei
2009-03-31 10:05 ` Andy Warner
2009-03-31 10:05   ` [refpolicy] " Andy Warner
2009-03-31 13:51   ` KaiGai Kohei
2009-03-31 13:51     ` [refpolicy] " KaiGai Kohei
2009-03-31 15:11     ` Andy Warner
2009-03-31 15:11       ` [refpolicy] " Andy Warner
2009-03-31 20:34       ` KaiGai Kohei [this message]
2009-03-31 20:34         ` KaiGai Kohei
2009-03-31 20:39         ` Andy Warner
2009-03-31 20:39           ` [refpolicy] " Andy Warner
2009-03-31 20:46           ` Joshua Brindle
2009-03-31 21:08             ` Andy Warner
2009-03-31 21:08               ` [refpolicy] " Andy Warner
2009-04-01 17:05               ` Joshua Brindle
2009-04-01  0:30 ` KaiGai Kohei
2009-04-01  0:30   ` [refpolicy] " KaiGai Kohei
2009-04-02  8:15 ` KaiGai Kohei
2009-04-02  8:15   ` KaiGai Kohei
2009-04-02 14:27   ` Joshua Brindle
2009-04-02 15:09     ` Christopher J. PeBenito
2009-04-02 15:09       ` Christopher J. PeBenito
2009-04-03  1:17       ` KaiGai Kohei
2009-04-03  1:17         ` KaiGai Kohei
2009-04-03 18:12         ` Joshua Brindle
2009-04-05  0:52           ` KaiGai Kohei
2009-04-05  0:52             ` KaiGai Kohei
2009-04-06  2:15         ` KaiGai Kohei
2009-04-06  2:15           ` KaiGai Kohei
2009-04-06 18:48           ` SELinux packages version (svn2950) Hasan Rezaul-CHR010
2009-04-06 19:18             ` Joshua Brindle
2009-04-06 19:48               ` Hasan Rezaul-CHR010
2009-04-06 20:14                 ` Joshua Brindle
2009-04-06 20:30               ` Hasan Rezaul-CHR010
2009-04-06 20:37                 ` Joshua Brindle
2009-04-12 23:45           ` [refpolicy] [RFC] Security policy reworks for SE-PostgreSQL KaiGai Kohei
2009-04-12 23:45             ` KaiGai Kohei
2009-04-20 20:07           ` Christopher J. PeBenito
2009-04-20 20:07             ` Christopher J. PeBenito
2009-04-20 23:27             ` KaiGai Kohei
2009-04-20 23:27               ` KaiGai Kohei
2009-05-07 12:24               ` Christopher J. PeBenito
2009-05-07 12:24                 ` Christopher J. PeBenito
2009-05-08  3:56                 ` KaiGai Kohei
2009-05-08  3:56                   ` KaiGai Kohei
2009-05-08  4:05                   ` KaiGai Kohei
2009-05-08  4:05                     ` KaiGai Kohei
2009-05-21 11:49                     ` Christopher J. PeBenito
2009-05-21 11:49                       ` Christopher J. PeBenito
2009-05-08  4:12                   ` KaiGai Kohei
2009-05-08  4:12                     ` KaiGai Kohei
2009-05-22 13:38                     ` Christopher J. PeBenito
2009-05-22 13:38                       ` Christopher J. PeBenito
2009-05-21 11:28                   ` Christopher J. PeBenito
2009-05-21 11:28                     ` Christopher J. PeBenito
2009-04-21  2:51             ` KaiGai Kohei
2009-04-21  2:51               ` KaiGai Kohei
2009-05-07 13:08               ` Christopher J. PeBenito
2009-05-07 13:08                 ` Christopher J. PeBenito
2009-04-03  0:25     ` KaiGai Kohei
2009-04-03  0:25       ` KaiGai Kohei

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=49D27E6C.5000106@kaigai.gr.jp \
    --to=kaigai@kaigai.gr.jp \
    --cc=cpebenito@tresys.com \
    --cc=kaigai@ak.jp.nec.com \
    --cc=method@manicmethod.com \
    --cc=refpolicy@oss.tresys.com \
    --cc=selinux@tycho.nsa.gov \
    --cc=warner@rubix.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.